Original URL: http://stackoverflow.com/questions/31205438/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Docker on Windows (Boot2Docker) - certificate signed by unknown authority error
Question by codependent
I am running Docker on Windows (boot2docker + Oracle Virtual Box). In my corporate environment they modify the certificates so that the CAs are the company's self signed CA's. Thus, the chain ends up like this:
Company's CA
|__
Company's Intermediate CA
|__
Docker Certificate
When I try to run any command, such as:
docker run hello-world
I get this error:
Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority
I have found several answers to this problem but always for Linux environments. How can I workaround this problem in Windows?
Answer by Aaron Helton
This general issue has been plaguing me for a couple of months. I first noticed it when trying to get a local virtual machine to fetch Python packages, so I already had an idea that certificates would be an issue. I solved it for my VMs, but hadn't until today been able to work out a solution for Docker. The trick is to add the certificates to Docker's cert store and have them persist. This is accomplished by using a bootlocal.sh script that executes every time the machine starts.
I assume if you've already found the answers for Linux, you already know the first steps. I will document them here for the sake of being thorough, because others may not have gotten this far. Start with #3 below if you've already done #1 and #2 by way of previous attempts.
1. Get the set of corporate root certificates, which should be installed in your corporate-configured browser. In Chrome, you can go to Settings, click Show advanced settings, and scroll down to HTTPS/SSL, where you can choose Manage Certificates. My organization has put them in Trusted Root Certification Authorities and named them after the organization. Export each (I have two), one at a time. You can either choose DER format and do step #2 below to convert to PEM, or you can choose Base-64 encoded x.509 (.CER) and simply rename the extension to .pem and skip step #2.

2. Once you have them saved to a known location, you will want to convert them to PEM format unless you saved as such. The easiest way I found to do this was to run the openssl.exe[1] command from within the Docker Quickstart Terminal.

   openssl x509 -inform der -in certificate.cer -out certificate.pem

3. Once you have the .pem files, you will want to copy them to a location to which your Docker machine has access. Typically for MS Windows, you'll have /c/Users of the host machine automatically mounted inside your docker machine. I made a directory in c:\Users\my.username\certs and copied them there.

4. This step may not be strictly necessary, but it's what I did, and it works. You will want to copy those certificates into your boot2docker partition, which is persistent. I am connecting to my default machine, which IS something you will need to do for Step 5.

   MINGW64:$ docker-machine ssh default
   docker@default:~$ sudo -s
   root@default:/home/docker# mkdir /var/lib/boot2docker/certs
   root@default:/home/docker# cp /c/Users/my.username/certs/*.pem /var/lib/boot2docker/certs/

5. Now it's time to write a bootlocal.sh script, which will copy the certificates to the proper location each time the system starts.[2] If you haven't already, open an SSH connection to the machine, per Step 4.

   touch /var/lib/boot2docker/bootlocal.sh && chmod +x /var/lib/boot2docker/bootlocal.sh
   vi /var/lib/boot2docker/bootlocal.sh

   Insert the following and save the file:

   #!/bin/sh
   mkdir -p /etc/docker/certs.d && cp /var/lib/boot2docker/certs/*.pem /etc/docker/certs.d

6. Restart the machine, either by using the reboot command from within the machine, or by using the docker-machine command from the Docker terminal:

   docker-machine restart default
Now you should be able to run 'hello-world' and others. I hope this helps.
Sources
[1] https://serverfault.com/questions/254627/how-to-convert-a-cer-file-in-pem
[2] https://github.com/boot2docker/boot2docker/issues/347#issuecomment-189112043
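As an added example (not part of Aaron Helton's answer or of the boot2docker project), here is a more defensive version of the bootlocal.sh from step 5. It copies only files that actually contain a PEM certificate block (a DER .cer that was renamed but never converted is skipped with a hint), reports how many certificates were installed, and offers a helper that checks a leaf certificate against the installed CA set so you can confirm the corporate chain is complete before relying on it. The source and destination paths are the ones used in the answer; the SRC_DIR/DST_DIR environment overrides, the verify_with_cas helper and the "only run on a boot2docker host" guard are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the answer above: a defensive bootlocal.sh.
# Assumed paths (from the answer): persistent certs in /var/lib/boot2docker/certs,
# installed into /etc/docker/certs.d. Both can be overridden via the environment.
SRC_DIR="${SRC_DIR:-/var/lib/boot2docker/certs}"
DST_DIR="${DST_DIR:-/etc/docker/certs.d}"

# is_pem_cert FILE: succeed only if FILE holds at least one PEM certificate block.
# A binary DER .cer fails this check and must be converted with openssl first.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# install_certs SRC DST: copy every well-formed *.pem from SRC into DST.
# Prints the number of certificates installed; skipped files are reported on stderr.
install_certs() {
    src="$1"
    dst="$2"
    count=0
    mkdir -p "$dst" || return 1
    for f in "$src"/*.pem; do
        [ -f "$f" ] || continue   # no matches: the glob stays literal, skip it
        if is_pem_cert "$f"; then
            cp "$f" "$dst/" && count=$((count + 1))
        else
            echo "skipping $f: not PEM (convert with: openssl x509 -inform der -in FILE -out FILE.pem)" >&2
        fi
    done
    echo "$count"
}

# verify_with_cas LEAF CA_DIR: check that LEAF chains to one of the CAs in CA_DIR.
# Uses openssl if present; handy to run once after install to prove the chain is complete.
verify_with_cas() {
    leaf="$1"
    cadir="$2"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available" >&2; return 2; }
    bundle=$(mktemp) || return 1
    cat "$cadir"/*.pem > "$bundle"
    openssl verify -CAfile "$bundle" "$leaf"
    rc=$?
    rm -f "$bundle"
    return $rc
}

# Only act when running on a boot2docker host (the persistent directory exists),
# so the functions above can also be sourced and tested elsewhere.
if [ -d /var/lib/boot2docker ]; then
    n=$(install_certs "$SRC_DIR" "$DST_DIR")
    echo "bootlocal.sh: installed $n certificate(s) into $DST_DIR"
fi
```

Keeping the destination configurable matters because Docker itself reads registry-specific CA files from per-host subdirectories of /etc/docker/certs.d (for example /etc/docker/certs.d/<registry-host>/ca.crt), while later boot2docker releases load /var/lib/boot2docker/certs/*.pem into the system trust store at boot; which of the two your setup relies on decides where the copies need to land.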
Answer by Andreas Mattisson
A way to do it: with Firefox, go to the URL https://auth.docker.io/token?scope=repository%3Alibrary%2Fhello-world%3Apull&service=registry.docker.io, click View Details for the certificate and extract it as .crt.
Copy the file to the VM, where the OS stores the .crt:

CentOS

/etc/pki/ca-trust/source/anchors/

# Then run
update-ca-trust force-enable
update-ca-trust extract

Ubuntu

/usr/share/ca-certificates

# Then run
sudo dpkg-reconfigure ca-certificates

Reboot docker, and it should work.
Answer by QiJie Zhang
For exporting certificate, you can choose file format as "Base-64 encoded x.509(.CER)" and finally rename the certificate extension as .pem.